Net-based email filtering

ABSTRACT

A local gateway device receives email across the internet from a sender of the email and forwards it across the internet to an email filtering system. The email filtering system analyzes the email to determine whether it is spam, phishing or contains a virus and sends it back to the local gateway device along with the filtered determination. The local gateway device forwards the received email and the filtered determination to a local junk store which handles the email appropriately. For example, if the email has been determined to be spam, phishing or containing a virus, the junk store can quarantine the email and if the email has been determined to be non-spun and/or not phishing and/or not containing a virus, the junk store can forward the email to a local mail server for delivery.

CROSS-REFERENCE TO RELATED APPLICATIONS

The present application is a continuation and claims the prioritybenefit of U.S. patent application Ser. No. 13/155,819 filed Jun. 8,2011, which claims the priority benefit of U.S. provisional application61/353,183 filed Jun. 9, 2010, the disclosures of which are incorporatedherein by reference.

BACKGROUND OF THE INVENTION

1. Field of the Invention

The invention is in the field of electronic mail (“email”), and moreparticularly in the field of filtering email for spam, phishing andviruses.

2. Description of the Related Art

Email has become a business critical form of communication. Resultantly,protecting email systems from attack, abuse and misuse has becomeincreasingly important.

Early attempts required directing all external email traffic to firstpass through a third-party system which provided various forms ofprotection, However, this required changing mail server addressing whichadded complexity, limited flexibility and was not always desirable.

Another prior approach was to place a protection device at the front-endof a local network to receive all external email traffic, An example ofthis approach is shown in FIG. 1 where a firewall device 130 is placedin front of a mail server 150. With this arrangement, firewall device130 receives all email traffic coming to a local protected network 140from a mail sender such as Mail Transfer Agent (“MTA”) 110 acrossinternet 120. Firewall device 130 typically provides services such asattack prevention and email virus scanning.

In order to provide protection against email spam, also known as junkemail, a separate device was typically placed between firewall 130 andmail server 150, as shown in FIG. 2, where an anti-spam appliance 145can be seen in communication between firewall 130 and mail server 150.Anti-spam appliance 145 receives emails from firewall 130 and preventsthose that are spam from reaching mail server 150. However, installing,configuring and managing yet another piece of equipment furthercomplicates things.

As a result, in a more recent prior approach, firewall 130 was sometimesreplaced by a Unified Threat Management (“UTM”) gateway device whichincorporated attack prevention, email virus scanning, anti-spamfunctionality, etc., into a single device. However, including this muchfunctionality into a single device increased cost and complexity andrequired the device to have greater processing, memory and storagecapacity.

It would be desirable to reduce such cost, complexity and devicecapacity, while still eliminating additional equipment, yet stillprovide a high level of protection services.

SUMMARY OF THE PRESENTLY CLAIMED INVENTION

In one embodiment is an email filtering process comprising the steps ofreceiving email at a UTM gateway from an MTA across a firstinternet-based communication connection, sending the received email fromthe UTM gateway to an Email Security Appliance across a secondinternet-based communication connection, receiving the email with afiltered status at the UTM gateway from the E Security Appliance acrossa third internet-based communication connection, and sending the emailwith the filtered status from the UTM gateway to a Junk Store across afirst local communication connection.

In a further embodiment, the email filtering process further comprises,before receiving email at the UTM Gateway from the MTA across a firstinternet-based communication connection, the steps of establishing thefirst internet-based communication connection between the UTM gatewayand the MTA, establishing the second internet-based communicationconnection between the UTM gateway and the Email Security Appliance,establishing the third internet-based communication connection betweenthe UTM gateway and the Email Security Appliance, and establishing thefirst local communication connection between the UTM gateway and a JunkStore.

In a still further embodiment, the email filtering process furthercomprises sending email filter processing rules from the UTM Gateway tothe Email Security Appliance.

In a yet further embodiment, the email filtering process furthercomprises processing the email at the Email Security Appliance todetermine whether it is a spam, phishing or virus containing email or anon-spam, non-phishing or not virus containing email and either givingthe email a filtered status indicating spam, phishing or viruscontaining if the email is determined to be a spam, phishing or viruscontaining email or giving the email a filtered status indicatingnon-spam, non-phishing or not virus containing if the email isdetermined to not be spam, not be phishing or not containing a virus.

In a still further embodiment, the email filtering process furthercomprises quarantining the received email at the Junk Store if the emailwith the filtered status indicates that the email is spam or sending thereceived email from the Junk Store to a local mail server if the emailwith the filtered status indicates that the email is non-spam.

In a yet still further embodiment, the email filtering process furthercomprises checking the reputation of the IP address of the MTA againstan allow list and a block list on the UTM Gateway.

In a yet further embodiment, the email filtering process furthercomprises checking the IP address of the MTA by the UTM Gateway checkingwith an IP Address Reputation Service.

In a yet still further embodiment, the email filtering process furthercomprises scanning the email received at the UTM Gateway from the MTAfor viruses before sending the received email from the UTM Gateway tothe Email Security Appliance.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is a diagram of a prior art system.

FIG. 2 is a diagram of another prior art system.

FIG. 3 is a diagram of one embodiment of the present system.

FIG. 4 is a flowchart of one embodiment of the present method.

DETAILED DESCRIPTION

A local gateway device receives email across the internet from a senderof the email, The local gateway device forwards the email across theinternet to a filtering system. The filtering system analyzes the emailto determine whether it is spam, phishing or contains a virus and sendsit back to the local gateway device along with the filtereddetermination. The local gateway device forwards the received email andthe filtered determination to a local junk store which handles the emailappropriately. For example, if the email has been determined to be spam,phishing or to contain a virus, the junk store can quarantine the emailand if the email has been determined to be non-spam and/or not phishingand/or to not contain a virus, the junk store can forward the email to alocal mail server for delivery.

In one embodiment, the local gateway device provides filtering rules(otherwise known as settings) to the external filtering system. In thisway, the local gateway device can control how email is to be processedby the filtering system and ultimately handled by the junk store andlocal mail server.

Communication between the local gateway device and the sender of theemail operates in a typical fashion thus eliminating need for anyinternet email addressing changes (e.g., no changes need to be made toMail Exchanger (“MX”) records held at public Domain Name Service (“DNS”)servers), etc. Further, as explained elsewhere herein, in someembodiments communication connections are established and maintained ina way to ensure integrity of the filtering operation. Offloading thefiltering processing to the external filtering system eliminates theneed for a local anti-spam appliance and also reduces processing, memoryand storage capacity requirements of such functionality which mightotherwise be performed within the local gateway device.

Referring now to FIG. 3, a diagram of one embodiment of the presentsystem can be seen. MTA 110 is any sender of email across internet 120.UTM Gateway 330 is UTM or firewall device comprising any combination ofhardware, software or firmware to perform threat managementfunctionality as well as the functionality described herein. ProtectedNetwork 140 is a communications network that is protected againstunauthorized access or use and can be a local area network, a wide areanetwork, a virtual private network, or any combination thereof, JunkStore 340 is a hardware and/or software facility that stores orquarantines spam, phishing, and virus containing email. Mail Server 350is a hardware and/or software server that provides email services. JunkStore 340 and Mail Server 350 may be physically separate servers or maybe combined in a single physical server. Reputation Server 310 is aninteract accessible server that keeps track of known good and known badInternet Protocol (“IP”) addresses, Email Security Appliance (“ESA”) 320is a server that performs email filtering as described elsewhere herein.It is to be understood that Reputation Server 310 and Email SecurityAppliance 320 may be physically separate servers, either co-located orin separate locations, or may be combined in a single physical server.

In a preferred embodiment, UTM Gateway is a UTM or firewall device, withsome portions comprising software provided on a computer readablemedium, all as sold by SonicWALL, Inc. of Sunnyvale, Calif., Junk Store340 is software provided by SonicWALL, Inc., on a computer readablemedium, Mail Server 350 is a Microsoft Exchange Server® software sold byMicrosoft, Corp. to be run on a server, and Reputation Server issoftware provided by SonicWALL, Inc. on a computer readable medium to berun on a server.

In operation, MTA 110 communicates across Internet 120 with UTM Gateway330 to establish a communication connection to send email from MIA 110to Mail Server 350. Optionally, UTM Gateway 330 communicates acrossInternet 120 with Reputation Server 310 to first check the reputation ofMTA 110. UTM Gateway 330 then communicates with Email Security Appliance320 across interact 120 to establish a communication connection. UTMGateway 330 also communicates across Protected Network 140 (e.g., alocal area network) to establish a communication connection with JunkStore 340. Junk Store 340 communicates across Protected Network 140 toestablish a communication connection with Mail Server 350.

Then, when MTA 110 sends email to UTM Gateway 330 across Internet 120,UTM Gateway 330 forwards that email across Internet 120 to EmailSecurity Appliance 320 for filtering. Email Security Appliance 320performs filtering on the forwarded email and sends it back acrossInternet 120 to UTM Gateway 330 along with a filtered determination. UTMGateway 330 forwards the email with the filtered determination acrossProtected Network 140 to Junk Store 340. Junk Store 340 then handles theemail according to the filtered determination. For example, if thefiltered determination indicates that the email is spam, phishing orcontains a virus, Junk Store 340 can quarantine the email and if thefiltered determination indicates that the email is non-spam and/or isnot phishing and/or does not contain a virus, Junk Store 340 can sendthe email across Protected Network 140 to Mail Server 350 for delivery.

Referring now to FIG. 4, a flowchart depicting one embodiment of thepresent method can be seen.

In Step 410, a communication connection is established between UTMGateway 330 and MTA 110. This occurs when MTA 110 contacts UTM Gateway330 on, for example, port 25 of UTM Gateway 330 with a Simple MailTransfer Protocol (“SMTP”) Terminal Control Protocol (“TCP”) handshakeSynchronize (“SYN”) message. To ensure that MTA 110 is a valid TCPendpoint, a modified handshake is used by UTM Gateway 330 by embedding acookie within a Synchronize-Acknowledge (“SYN-ACK”) response from UTMGateway 330 to MTA 110. The presence and value of this cookie isverified by UTM Gateway 330 when it is received with the final handshakeAcknowledge (“ACK”) sent by MTA 110 to UTM Gateway 330. If the cookie isnot present or is invalid in this ACK message, the attempted connectionfrom MTA 110 is refused by UTM gateway 330. This prevents attacks, suchas SYN Flood attacks, which could otherwise tie up resources throughproliferation of incomplete connections.

In Step 415, the reputation of MTA 110 is checked. In particular, areputation check is done on the IP address of MTA 110. The reputation ofMTA 110's IP address is checked by first consulting an allow list and ablock list within UTM Gateway 330. If the IP address of MTA 110 is foundon the block list within UTM Gateway 330, the connection with MTA 110 isrefused. If the IP address of MTA 110 is found on the allow list withinUTM Gateway 330 then the connection with MTA 110 is established and theprocess continues. If the IP address of WA 110 is not found on eitherthe allow list or the block list of UTM Gateway 330 then UTM Gateway 330checks the reputation of the IP address of MTA 110 with ReputationServer 310 by communicating across internet 120.

Reputation Server 310 looks up the IP address of MTA 110 within itsinternal database and sends a DNS answer to UTM Gateway 330 in the formof 127.0.0.X where X signifies the reputation of the IP address.Exemplary possible values for X are:

-   -   nnn.0.0.1: MTA 110 is not a known spam source    -   nnn.0.0.2: MTA 110 is an open relay    -   nnn.0.0.3: MTA 110 is a dialup spam source    -   nnn.0.0.4: MTA 110 is a spam source    -   nnn.0.0.5: MTA 110 is a smart host (relays for sites that are        not secure)    -   nnn.0.0.6: MTA 110 is a spam-ware site    -   nnn.0.0.7: MTA 110 is a bad email list server    -   nnn.0.0.8: MTA 110 uses an insecure script    -   nnn.0.0.9: MTA 110 is an open proxy server

If the received IP address reputation response from Reputation Server310 indicates that the IP address of MTA 110 is valid UTM Gateway 330will proceed with the SMTP connection to MTA 110.

In Step 420, a first communication connection is established between UTMGateway 330 and Email Security Appliance 320. In particular, UTM Gateway330 initiates an SMTP connection across internet 120 to port 25 of EmailSecurity Appliance 320. This internet-based communication connection isestablished using the standard SMTP protocol sequence of SYN, SYN-ACKand ACK messaging between UTM Gateway 330 and Email Security Appliance320.

In Step 425, a second communication connection is established betweenUTM Gateway 330 and Email Security Appliance 320. In particular, EmailSecurity Appliance 320 initiates an SMTP connection across internet 120to UTM Gateway 330. However, unlike the first internet-basedcommunication connection between UTM Gateway 330 and Email SecurityAppliance 320 which used the reserved SMTP TCP port 25, Email SecurityAppliance 320 initiates the second internet-based communicationconnection using port 10025 of .sup.-UTM Gateway 330. Use of port 10025of UTM Gateway 330 for the second communication connection, rather thanport 25 of UTM Gateway 330, ensures that the logical path used byunprocessed email from MTA 110 to UTM Gateway 330 differs from thelogical path used for processed email from Email Security Appliance 320to UTM Gateway 330. It is to be understood that an alternative port ofUTM Gateway 330 could be used for the second communication instead ofport 10025. Such alternative port could be one of a range of ports to beused, for example, in the event an Internet Service Provider (ISP) orother firewall is blocking port 10025.

In Step 430, a communication connection is established between UTMGateway 330 and Junk Store 340, In particular, using Network AddressTranslation (“NAT”) redirect as known in the art, UTM Gateway 330establishes a first local communication connection with Junk Store 340.In combination with the second communication connection between EmailSecurity Appliance and WWI Gateway 330, this sets up a communicationpathway from Email Security Appliance 320 through UTM Gateway 330 toJunk Store 340.

In Step 435, a communication connection is established between JunkStore 340 and Mail Server 350. In particular Junk Store 340 initiates asecond local communication connection via an internal SMTP connection toport 25 of Mail Server 350.

In Step 440, UTM Gateway 330 optionally sends email filtering rules(settings) to Email Security Appliance 320. As explained furtherelsewhere herein, the email filtering rules provide Email SecurityAppliance 320 with the information to fitter email for UTM Gateway 330and are sent from UTM Gateway 330 to Email Security Appliance 320 in acustom SMTP Hello (“HELO”) command referred to herein as a SonicWALLHello (“SHLO”) command.

In Step 445, Email Security Appliance 320 sends some or all of the emailfiltering rules to Junk Store 340. In particular, Email SecurityAppliance 320 sends some or all of the email filtering rules through URIGateway 330 to Junk Store 340 using the custom SHLO command. Thisprovides Junk Store 340 with the information necessary to handleprocessed. email as explained elsewhere herein.

In Step 450, UTM Gateway 330 receives email from MTA 110. In particular,MTA 110 sends an email over the internet-based communication connectionestablished between UTM Gateway 330 and MTA 110 in a typical fashion asknown in the art.

In Step 455, UTM Gateway 330 forwards the received email to EmailSecurity Appliance 320. In particular, UTM Gateway 330 forwards theemail across the first internet-based communication connection betweenUTM Gateway 330 and Email Security Appliance 320.

In an optional step (not shown), UTM Gateway 330 scans the SMTP trafficof the email sent by MTA 110 for virus signatures and takes appropriateaction.

In Step 460, Email Security Appliance 320 processes the forwarded emailaccording to the email filtering rules. In particular, Email SecurityAppliance processes the forwarded email according to its filteringcapabilities and the email filtering rules and gives the email afiltered status indicating whether or not it was determined to be spam,phishing, or virus containing email.

In Step 465, Email Security Appliance 320 sends the processed email withthe filtered determination to UTM Gateway 330. In particular, EmailSecurity Appliance 320 sends the processed email with the filtereddetermination across the second interact-based communication connectionto UTM Gateway 330.

In Step 470, UTM Gateway 330 forwards the processed email with thefiltered determination to Junk Store 340. In particular, UTM Gateway 330forwards the processed email with the filtered determination across thefirst local communication connection to Junk Store 340.

In Step 475, Junk Store 340 reviews the filtered determination of thereceived email and handles it in accordance with the filtering rulesreceived in step 445. If the filtered determination of the emailindicates that the email is spam, phishing or contains a virus, then inStep 480, Junk Store 340 quarantines the email, Alternatively, if thespam determination of the email indicates that the email is non-spamand/or is not phishing and/or does not contain a virus, then in Step485, Junk Store 340 forwards the email to Mail Server 350 for delivery.

SHLO commands, as explained elsewhere herein, are optionally used toprovide Email Security Appliance 320 with filtering rules for filterprocessing and are exchanged within an SMTP connection using TCP ports25 and 10025. In one embodiment, SHLO commands are American StandardCode for Information Interchange (“ASCII”) text encoded and use simplename-value pairs to convey information, Names are defined for theexchange of:

-   -   a. Authentication “token”    -   b. Serial number of UTM Gateway 330    -   c. IP address of MTA 110    -   d. IP address reputation mechanism used (e.g., allow list at URI        Gateway 330 and/or Reputation Server 310)    -   e. Action to take for spam, phishing and virus emails (e.g.,        allow, tag, quarantine, reject, delete)

The following is an example of a SHLO message sent by UTM Gateway 330 toEmail Security Appliance 320:

-   -   SHLO sn=94d8f1 hk=a73cf9 ls=q ds=d lp=t dp=q lv=q dv=d        si=“nnnn.nnnn.nn.n” js=1 co=1    -   Where:    -   sn=94d8f1 is the encoded serial number of UTM gateway 330    -   hk=a73cf9 is the authentication token    -   ls=q indicates emails determined to be “likely spam” should be        quarantined    -   ds=d indicates emails determined to be “definite spam” should be        deleted    -   lp=t indicates emails determined to be “likely phishing” should        be tagged    -   dp=q indicates emails determined to be “definite phishing”        should be quarantined    -   lv=q indicates emails determined to be “likely virus” should be        quarantined    -   dv=d indicates emails determined to be “definite virus” should        be deleted    -   si=“nnn.nnn.nn.n” is the IP address of MTA 110    -   js=1 indicates that Junk Store 340 is currently running and        healthy    -   co=1 indicates a status determined by UTM Gateway 330 probing on        status of Email Security Appliance 320

The embodiments discussed herein are illustrative of the presentinvention. As these embodiments of the present invention are describedwith reference to illustrations, various modifications or adaptations ofthe methods and or specific structures described may become apparent tothose skilled in the art. All such modifications, adaptations, orvariations that rely upon the teachings of the present invention, andthrough which these teachings have advanced the art, are considered tobe within the spirit and scope of the present invention. Hence, thedescription and the drawing should not be considered in a limitingsense, as it is understood that the present invention is in no waylimited to only the embodiments illustrated.

What is claimed is:
 1. An email filtering system comprising: a unifiedthreat management gateway that: receives an email from a mail transferagent across a first internet-based communication connection, and checksa reputation of an internet protocol address of the mail transfer agent;an email security appliance that: receives the email from the unifiedthreat management gateway across a second internet-based communicationconnection, processes the email to determine a filtered status of theemail, and sends the email with the filtered status to the unifiedthreat management gateway across a third internet-based communicationconnection; and wherein the unified threat management gateway further:sends the email with the filtered status to a junk store across a localcommunication connection, and sends email filter processing rules to theemail security appliance, wherein the unified threat management gatewaysends email filter processing rules using a custom simple mail transferprotocol HELO command using a transmission control protocol port, andwherein the HELO command comprises ASCII encoded text using name-valuepairs to convey information.
 2. The email filtering system of claim 1,wherein: the first internet-based communication connection isestablished between the unified threat management gateway and the mailtransfer agent; the second internet-based communication connection isestablished between the unified threat management gateway and the mailtransfer agent; the third internet-based communication connection isestablished between the unified threat management gateway and the emailsecurity appliance; and the local communication connection isestablished between the unified threat management gateway and the junkstore.
 3. The email filtering system of claim 1, wherein the junk storequarantines the email with the filtered status when the filtered statusindicates that the email is spam.
 4. The email filtering system of claim1, wherein the junk store quarantines the email with the filtered statusat the junk store when the filtered status indicates that the email isphishing.
 5. The email filtering system of claim 1, wherein the junkstore quarantines the email with the filtered status at the junk storewhen the filtered status indicates that the email contains a virus. 6.The email filtering system of claim 1, wherein the unified threatmanagement gateway checks the internet protocol address of the mailtransfer agent against an allow list and a block list on the unifiedthreat management gateway.
 7. The email filtering system of claim 1,wherein the unified threat management gateway checks the internetprotocol address of the mail transfer agent by communicating with aninternet protocol address reputation service.
 8. The email filteringsystem of claim 1, wherein the first internet-based communicationconnection is a simple mail transfer protocol connection using port 25of the unified threat management gateway.
 9. The email filtering systemof claim 1, wherein the second internet-based communication connectionis a simple mail transfer protocol connection using port 25 of the emailsecurity appliance.
 10. The email filtering system of claim 1, whereinthe third internet-based communication connection is a simple mailtransfer protocol connection using port 10025 of the unified threatmanagement gateway.
 11. The email filtering system of claim 1, whereinthe unified threat management gateway scans the email received from themail transfer agent for viruses before sending the email to the emailsecurity appliance.
 12. The email filtering system of claim 1, whereinthe junk store sends the email with the filtered status to a local mailserver when the filtered status indicates that the email isnon-phishing.
 13. The email filtering system of claim 1, wherein thejunk store sends the email with the filtered status to a local mailserver when the filtered status indicates that the email is non-spam.14. The email filtering system of claim 1, wherein the junk store sendsthe email with the filtered status to a local mail server when thefiltered status indicates that the email does not contain a virus.
 15. Anon-transitory computer-readable storage medium, having embodied thereoninstructions executable to perform a method of filtering email, themethod comprising: receiving an email at a unified threat managementgateway from a mail transfer agent across a first internet-basedcommunication connection; checking a reputation of an internet protocoladdress of the mail transfer agent; sending the email from the unifiedthreat management gateway to an email security appliance across a secondinternet-based communication connection; processing the email at theemail security appliance to determine a filtered status of the email;receiving the email with the filtered status at the unified threatmanagement gateway from the security appliance across a thirdinternet-based communication connection; sending the email with thefiltered status from the unified threat management gateway to a junkstore across a local communication connection; and sending email filterprocessing rules from the unified threat management gateway to the emailsecurity appliance, wherein the unified threat management gateway sendsemail filter processing rules using a custom simple mail transferprotocol HELO command using a transmission control protocol port,wherein the HELO command comprises ASCII encoded text using name-valuepairs to convey information.